[BBLISA] maximizing DNS security
Dean Anderson
dean at av8.com
Fri Apr 2 16:19:14 EDT 2010
On Fri, 2 Apr 2010, Tom Metro wrote:
> Plain DNS has plenty of security problems, but what are the best
> practices for maximizing your DNS security. Specifically I'm wondering
> about how outsourced DNS, which leaves you open to social engineering
> attacks, compares to in-house management.
I'm not sure what you mean. That DNS protocol is insecure or DNS
Registrars are insecure? Outsourced DNS protocol is no more or less
secure than in-house DNS protocol.
Outsourced DNS registration or DNS operation shouldn't be vulnerable to
social engineering attack without some elaborate efforts at identity
theft. (ie "Hello, please change my MX record to ...") should be
identity-verifiable just like any other transaction. Social engineering
attacks require a deception to occur, and there is no reason that the
outsourcing company should easily accept deception, any more than your
ISP or bank should accept deception.
Using per-user SSL certificates doesn't improve one's ability to counter
social engineering efforts; That either makes no change or makes things
worse. What happens when you lose the certificate or the password? SSL
certs are just fancier passwords--sometimes helpful, sometimes not.
In any case, when you lose the login password or cert, someone has to
identify the owner based on paperwork: drivers license/id card,
corporate documents; billing account numbers and payment amounts.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
More information about the bblisa
mailing list